6.1.11 Ensure the 'GRANT ANY OBJECT PRIVILEGE' Audit Option Is Enabled

Information

GRANT ANY OBJECT PRIVILEGE allows the user to grant or revoke any object privilege, which includes privileges on tables, directories, mining models, etc. Enabling this audit option causes auditing of all uses of that privilege.

Rationale:

Logging of privilege grants that can lead to the creation, alteration, or deletion of critical data, the modification of objects, object privilege propagation and other such activities can be critical to forensic investigations.

Solution

To remediate this setting, execute the following SQL statement, keeping in mind if this needs to be done in both container and pluggable database, you must connect to both places to do the audit statement.

AUDIT GRANT ANY OBJECT PRIVILEGE;

Notes:

This does NOT audit all attempts to grant or revoke object privileges since this can also be done by anyone who was granted an object privilege with the grant option. Also, this never creates an audit record for anyone who does not hold the GRANT ANY OBJECT PRIVILEGE system privilege. Therefore, many attempts, successful or not, to grant and revoke object privileges are not audited by this.

See Also

https://workbench.cisecurity.org/files/2741